1. Field of the Invention
The present invention generally relates to the field of internet traffic and, more particularly, to a system and method for controlling internet traffic to mitigate effects of malicious traffic, including distributed denial of service (DDOS) attacks.
2. Description of the Related Art
Computers connected via a network, such as the Internet, are identified by a unique identifier. For most computers, which use the Transmission Control Protocol/Internet Protocol (TCP/IP), this unique identifier is called an internet protocol address, or IP address. IP addresses can be static or, more commonly, dynamic.
Generally, a first computer on a network can attempt to access a second computer on the same network directly, via the second computer's IP address. More commonly, the user of a first computer will only know the “name” of the intended destination, not the IP address of the destination. Using the Domain Name System, or DNS, the user of the first computer can access the destination without knowledge of the destination's IP address.
The DNS uses a process called DNS name resolution to find a specific IP address, given a particular domain name. For example, if a user was attempting to access the domain example.com, the user would enter the name into a web browser's address bar, and the DNS would resolve the IP address for that domain.
The DNS has a hierarchical structure and utilizes a large number of DNS servers that store records for a given domain name and respond with answers to queries, such as asking for the IP address for a given domain name.
An authoritative DNS server is a DNS server that gives answers in response to queries for a particular DNS zone. Every domain name appears in a zone that is served by at least one authoritative name server.
If a particular DNS server cannot answer a query, it may query other DNS servers that are higher up in the hierarchy by performing a reverse look-up. The number of DNS servers has grown as use of the Internet has expanded.
Many devices have been developed to protect servers and networks from malicious attacks coming from the Internet. Typically, these devices fall into the category of firewalls and specialized routers. Generally, a firewall is any security system that controls network traffic by applying a set of rules. Essentially, a firewall is a barrier between a secure network and another, insecure network (i.e., the Internet).
Internet traffic can also be regulated using white lists, black lists, and/or grey lists to manage a set of allowed or denied users. For example, U.S. Pat. No. 7,849,502 and U.S. Patent Application Publication Nos. 2012/0079592 and 2008/0168558 describe the creation, management, and use of various types of white, black, and grey lists.
Each and every reference cited herein is hereby incorporated by reference in its entirety, where appropriate, for teachings of additional or alternative details, features, and/or technical background.
Firewalls and specialized routers typically utilize source IP detection, packet and content analysis, traffic pattern analysis, and an array of policies and rules to filter out malicious traffic and content. Some devices are scalable to handle higher levels of traffic and larger scale malicious attacks.
One type of Internet-based attack is a DDOS attack. Generally, a DDOS attack is an attempt to make a target computer or server unavailable to its intended users by preventing the target from functioning. During a DDOS attack, the attacker(s) generate a large volume of connection attempts directed at the target's IP address or addresses. Commonly, these connection attempts are directed at the target's authoritative DNS servers. The intended result of such a large number of connection attempts is that the target is overloaded such that it is unable to service legitimate connection attempts from valid users.
Some DDOS attacks can be defended via traditional methods such as firewalls. However, in recent years, the scale of some DDOS attacks has become unprecedentedly large and long in duration, overwhelming the capabilities and resources of the largest and most powerful firewalls and defense systems.
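As an added illustration that is not part of the patent text, the following Python sketch shows one way the white, black and grey list regulation described above can be applied to the query stream reaching an authoritative DNS server during a flood of the kind just described. The list contents, the threshold, the window length and the sample query log are assumptions constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample DNS query log, one tuple per query: (timestamp_ms, source_ip, qname).
# Addresses and timings are made up for this illustration.
SAMPLE_QUERIES = (
    [(1000 * t, "198.51.100.7", "example.com") for t in range(3)]    # ordinary client
    + [(10 * i, "203.0.113.9", "example.com") for i in range(300)]   # 100 qps flood from one source
    + [(1000, "192.0.2.5", "example.com")]                           # source already on the black list
    + [(500 * i, "10.0.0.2", "example.com") for i in range(400)]     # white-listed monitor, never throttled
)

class ListBasedFilter:
    """Allow, deny or throttle each query using white, black and grey lists.

    Black-listed sources are always denied and white-listed sources always allowed.
    Any other source is rate-limited over a sliding window; once it exceeds the
    limit it is recorded on the grey list and its excess queries are throttled.
    """

    def __init__(self, whitelist, blacklist, max_per_window, window_ms):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.greylist = set()
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self._recent = defaultdict(deque)  # source -> query timestamps inside the window

    def decide(self, ts, src):
        if src in self.blacklist:
            return "deny"
        if src in self.whitelist:
            return "allow"
        recent = self._recent[src]
        recent.append(ts)
        while ts - recent[0] > self.window_ms:  # drop timestamps that left the window
            recent.popleft()
        if len(recent) > self.max_per_window:
            self.greylist.add(src)
            return "throttle"
        return "allow"

def run(queries, filt):
    """Replay a query log in time order; return {source: {decision: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _qname in sorted(queries):
        counts[src][filt.decide(ts, src)] += 1
    return {src: dict(c) for src, c in counts.items()}

if __name__ == "__main__":
    f = ListBasedFilter(["10.0.0.2"], ["192.0.2.5"], max_per_window=50, window_ms=1000)
    for src, c in run(SAMPLE_QUERIES, f).items():
        print(src, c)
    print("grey list:", sorted(f.greylist))
```

With these assumed settings the flooding source is allowed its first 50 queries, then lands on the grey list and has the remaining 250 throttled, while the white-listed and ordinary clients are unaffected.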